Sometimes, the best way to advance is in reverse. If you want to know how something works, you take it apart very carefully. That’s exactly what this book shows you- how to deconstruct software in a way that reveals design and implementation details, sometimes even source code. Why? Because reversing reveals weak spots, so you can target your security efforts. Because you can reverse engineer malicious code in order to neutralize it. Because understanding what makes a program work lets you build a better one. You’ll learn how here.

Understand when reverse engineering is legal, and when-and why- it may not be.

See how hackers use reversing to defeat copy protection technology.

Find out how to pull the plug on malicious code.

Determine how to prevent others from reversing your code, and find out how effective such steps can be.

Introduction

As an official member of the “I hate malware” club, I am always looking for ways to defeat it, as well as analyze how and what various malicious applications are doing. With the onslaught of malicious programming, and the money to be made by the authors, it is becoming increasingly impossible for automated scans to keep up with everything. The time is coming when Computer Security professionals will need to be able to conduct analysis on their own. Secrets of Reverse Engineering represents one of the latest entries into the field.

Review Comments

Secrets of Reverse Engineering is divided into 4 sections, starting with Reversing 101, which is a discussion of all of the basics. The section begins with a discussion of the reasons for reverse engineering, as well as the legalities of doing so. Needless to say, the concept of reverse engineering in general has less than honorable connotations, when in fact there are perfectly legitimate reasons for reversing a program; evaluating the robustness of software, interacting with proprietary software, and analyzing potential threats to a system are just a few reasons.

The second section deals with applied reversing, first by reversing ntdll.dll, then reversing proprietary code, then binary auditing, and finally, Backdoor.Hacarmy.D, a remote access Trojan. What makes this part interesting (and fun, if you are into this sort of thing) is that source code is available from the publisher’s website, enabling those who choose to get some hands on practice. The difference between this and the thousands of “How-To-Reverse” tutorials all over the web is the depth of coverage. Eilam explains not only the hows, but the whys of what we are doing, and presents it in a larger context that enables the reader to apply the techniques and methods to other applications.

Section three focuses on piracy, copy protection, and anti-reversing methods. While the chapter on breaking protections will probably be the most popular, I found the chapter on anti-reversing techniques to be most interesting in this section. With fairly simplistic code, one can make it much harder to recover your source code. Eliam walks the reader through a fairly complex protection scheme that is both interesting and informative, and also makes the source code available for hands on analysis. In this case, I feel that it is almost essential to follow hands on because of the complexity of the protection. Different types of piracy and copy protection are briefly discussed also.

The final section reaches beyond disassembly to discussing how to reverse engineer interpreted languages using Microsoft’s .NET as an example, as well as Microsoft Intermediate language. The nice part about this chapter is that it shows what some common functions look like when disassembled. Part of the problem for “rookie” reversers is not being able to recognize what is happening with disassembled code. Once typical code structures have been illustrated, the disassembled code begins to make a bit more sense, and the atypical begins to stand out. Finally, the section closes out with a nice chapter on decompiling, the various approaches used, and the algorithms and problems involved when attempting to automatically generate higher level code from assembly. One decompiler mentioned is Andromeda, which currently is under development, but at least on the surface seems promising.

Style and Detail

Without mincing words, this is a tough read. Not because it is presented poorly, or the groundwork was not properly laid, but rather because the material presents some advance concepts, that at least for me, are going to take a few more times through to absorb. That is not the fault of the author though, but rather the nature of the material. It is all understandable, it just takes a bit to digest.

Of the tools discussed, there were also free alternatives listed. For those that may only need to analyze files from time to time, there is no need to spend hundreds of dollars. Screenshots of the various tools in action are adequate to help the reader visualize what is being discussed, should they choose to not download the sample source code.

The diagrams and code samples are all helpful, and the information proceeds in a more or less logical manner. Each chapter ends with a conclusion of what you should have learned in the previous chapter, which I found to be oddly helpful in that it either was able to summarize what I had just read, or made it painfully obvious that I needed to back up and try to better understand the material being presented.

Conclusion

I only have a couple of minor criticisms. First, the topic of packers was not at all discussed. Perhaps the publisher or author felt it was outside the scope of the text, but packers represent a very real obstacle to reversing, and I don’t think that it would have been too difficult for the intended reader to grasp. Programs like Yoda’s Protector not only pack the files, but automatically employ anti-debugging code. Packers are quickly gaining favor in the malware arena, and I can’t imagine why anyone who wants to protect their code wouldn’t be using some kind of packer to begin with.

The other criticism I have is that I think the chapter on foundations was not really necessary. If you don’t have at least some programming knowledge, then you probably will not at all understand the material covered, and if you are familiar with programming, then you already have a grasp of the differences between high level and low level programming. It does provide an easily digestible lead into the harder material though.

This is not a “How-Do-I-Remove-Nagscreens” type of book. It covers the topic on a more abstract level, which means the reader should, at a minimum, have knowledge of software development. It also wouldn’t hurt to have at least some familiarity with operating systems. Anything less than that, and I think the reader will be hopelessly confused.

This book receives an honored SFDC Rating of 8/10.

Chad Clites
Security-Forums Dot Com

This review is copyright 2005 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.